Reflets inadvertently invites itself into Ukrainian police cars
The video surveillance cameras were not protected
While looking for Internet-accessible cameras to follow the conflict, Reflets found itself inside Kyiv police cars, with sound and image in real time. The risks posed by these misconfigurations prompted us to warn the authorities. In less than four hours, the feeds were cut off.
It all starts with a Reflets project on Ukrainian video surveillance cameras. Can we document the war through these cameras? Are they sufficiently protected? Could a vulnerability or a bad configuration allow a third country to collect intelligence?
A systematic collection of the cameras available in the country began on February 27, 2022. Testing all 55,007 devices reachable via the Internet took 48 hours.
Unsurprisingly, and as in most countries, at least 5% of them are accessible using default usernames and passwords. These usernames and passwords must be changed during installation, but installers do not always bother to do so. You can read our previous article on this subject here.
It was while performing these checks that we were surprised by one particular video stream: that of a camera located in a moving car. Kyiv's avenues, bridges and military checkpoints follow one another despite the curfew, and no sooner have we realized what is happening than a second camera falls into our net. This time, the driver and the passenger are visible in the picture.
A police car. In Ukraine. In Kyiv.
The address of the third camera discovered seems to indicate that all the equipment is connected to a single network. A thorough analysis finally gives us access to more than thirty police vehicles in the city.
Views from inside the cars, views from outside, radio messages, telephone conversations: everything is freely available to whoever takes the trouble to look. Law enforcement movements, the location of military equipment and other sensitive information could fall into the wrong hands.
The policemen are often equipped with bulletproof vests, but the atmosphere is still pretty relaxed. In one of the cars, the policemen pass the time by watching a poorly dubbed series while wolfing down chips and peanuts.
During the Syrian revolution, Reflets had participated in an operation with Telecomix that aimed to divert the Internet traffic of Syrians to pages explaining the dangers of Bashar el-Assad's state surveillance. This time, it seemed important to us to warn the Ukrainian authorities about the risks incurred by the Kyiv police and the Ukrainian defense of the capital. A journalist from Reflets went to the embassy with a document summarizing our findings...
If we could follow, live, the movements of the police cars, the location of the checkpoints, the conversations of the policemen and the radio exchanges, Russian intelligence could too. What to do with our discovery?
So we decided to send an emissary to the Ukrainian embassy in Paris on Tuesday. In front of the building: bouquets of flowers in the colors of Ukraine, an icon of the Virgin, and candles. Young men are waiting, eager to join the legion of foreign volunteers established by the Ukrainian president.
An employee approaches our correspondent on the sidewalk. The latter explains that he has important information to pass on. After a brief hesitation, the guard rushes into the embassy. He returns and says to wait. A few minutes later, a man in a suit arrives; he does not introduce himself. After reading the document explaining the problem, and seeing the screenshots of the cameras, he exclaims: "But this is very important. I have to tell Kyiv immediately, it's incredible. How did you see that, what is Reflets?" After some explanations about info-hacking, he says "really, thank you, thank you. I'll pass it on immediately" and disappears into the building at a run.
And 3 hours and 40 minutes later, the cameras cut out one by one. Some are removed, others now have a real password... This story reveals in passing that the chain of command works very well. Three hours and forty minutes between the alert at the Paris embassy and the action of the IT department of the Kyiv police, in the middle of a war and under the bombs: hats off to you!